// Shared-secret auth for customer-lookup endpoints that expose PII.
// The acot-phone-server sends `x-acot-api-key` on every request; we compare
// against ACOT_PHONE_API_KEY from the environment using timing-safe comparison.
const crypto = require('crypto');
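/**
 * Express-style middleware: shared-secret auth for the customer-lookup endpoints.
 *
 * The expected key is read from `ACOT_PHONE_API_KEY` on every call (so a rotated
 * value is picked up without a restart) and compared with the `x-acot-api-key`
 * request header in constant time.
 *
 * Outcomes:
 *   - env var unset or empty  -> 503 `{ success: false, error: 'auth_not_configured' }`
 *     (fail closed: never let traffic through when there is no secret to check)
 *   - header missing, non-string, empty, or not equal to the configured key
 *                             -> 401 `{ success: false, error: 'unauthorized' }`
 *   - otherwise               -> `next()`
 *
 * @param {object} req  request object exposing `get(headerName)`
 * @param {object} res  response object exposing chained `status(code).json(body)`
 * @param {Function} next  called only when the key matches
 * @returns {*} the value of `res.json(...)` on rejection, otherwise `undefined`
 */
function requirePhoneApiKey(req, res, next) {
  const expected = process.env.ACOT_PHONE_API_KEY;
  if (!expected) {
    console.error('ACOT_PHONE_API_KEY not configured; rejecting all requests');
    return res.status(503).json({ success: false, error: 'auth_not_configured' });
  }

  // Express normally yields a string or undefined here, but defend against a
  // non-string value so Buffer handling cannot throw and turn a malformed
  // header into a 500 instead of a clean 401.
  const provided = req.get('x-acot-api-key');
  if (typeof provided !== 'string' || provided.length === 0) {
    return res.status(401).json({ success: false, error: 'unauthorized' });
  }

  // Hash both sides before comparing. The digests are always the same length,
  // so timingSafeEqual() never throws, and we avoid an early-return length
  // check that would reveal the secret's length to a remote caller.
  const digest = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();
  if (!crypto.timingSafeEqual(digest(provided), digest(expected))) {
    return res.status(401).json({ success: false, error: 'unauthorized' });
  }

  next();
}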
// The middleware is the module's only public export.
exports.requirePhoneApiKey = requirePhoneApiKey;